How to Make Your TYPO3 Application GDPR Compliant

The European General Data Protection Regulation coming into effect on 25 May 2018 has implications that affect every aspect of planning, developing, and maintaining websites and web applications. GDPR promises users greater protection, transparency, and control. Find out what you need to know about GDPR.

In this article, we’ll look at how the upcoming TYPO3 GDPR release will help you design GDPR compliant applications. We’ll look at both TYPO3 core features available out of the box, as well as how the GDPR extension helps you build GDPR compliant applications.

Important note: This article does not constitute legal advice.

GDPR Compliance and TYPO3

For those who are designing applications and websites, the regulations affect every aspect of designing, building, and maintaining services that handle personal data and users.

Data: What data is captured? How is it captured and stored? How do these interact with third-party systems?

Consent: Did you get explicit consent from users?

Control: Do users have control over the data you store? They must also be able to withdraw their consent.

Communications: Is it clear who to contact? Are there procedures in place for breach notifications?

I’ve been collaboration on the GDPR initiative to make TYPO3 CMS core “GDPR ready.” This will mean it’s easier for TYPO3 agencies and developers to create applications that protect users’ privacy by default and design.

TYPO3 CMS and Privacy by Default

TYPO3 acts defensively when it comes to collecting privacy-related data and follows the principle of “privacy by default”.

Cookies

By default, no cookies are set for anonymous website visitors. Cookies are only set for required functionality such as logins and shopping carts. Likewise, access for users such as editors, administrators, and maintainers always requires setting cookies to ensure authorization and handle permissions.

IP Addresses

The following modules collect the IP address during user interactions, but they can be configured to anonymize these IP addresses to protect user data. See Anonymize IP addresses below.

indexed_search: TYPO3’s default search collects the IP address for every search. It’s possible to configure this to log only the anonymized IP address.

sys_log: TYPO3 collects the IP addresses of editors in this log as they perform actions on the site. As the IP address is required to reconstruct actions and logins the IP address will be fully persisted but can be anonymized in a later action.

External Media

Content editors can embed third-party videos such as YouTube. By default, TYPO3 uses the recommended embed URL https://www.youtube-nocookie.com/ to improve the privacy of website visitors.

Privacy Improving Tools and APIs

TYPO3 CMS core provides the following APIs to improve website users’ privacy and help website owners comply with the GDPR.

Access and User Management

TYPO3 CMS has sophisticated user and group management in order to grant permission to required information only. Private data like orders or submitted forms are only visible to editors who need to interact with this data.

Password Hashes

TYPO3 developers can employ several different strong password hashing algorithms to secure user passwords. By using random salts, developers can avoid the possibility that an attacker could extract passwords from rainbow tables.

HTTPS/TLS

TYPO3 CMS Supports HTTPS/TLS which makes it possible to enforce a secure connection for frontend and backend users.

Individual Data Protection by GDPR Extension

Beyond my activities as a TYPO3 CMS core team member, I have also developed the GDPR extension to extend the basic functionality of TYPO3 core API. I provide support for the extension through a paid professional plan, which helps me maintain the extension and support those use it. There are two support tiers.

The free basic plan provides an API that controls visibility information based on a particular role (data owner, website visitor, website maintainer, etc.)

The professional plan includes sophisticated data protection as well as pseudonymization and anonymization.

Most important features are:

Randomize Data

Randomizing data is a good way to keep data but remove the personal or private information from it. This use case makes sense, for example, are e-commerce orders that should stay in the database to generate statistics like sales to specific countries.

GDPR extension editors can randomize data with a scheduler task. For example, randomizing orders older than 180 days. Or editors can manually randomize data as needed.

Flag, Hide & Remove Data

Editors can flag database records to identify those that hold sensitive data. After a record is “flagged”, it won’t be visible anymore, neither in the backend nor in the frontend—no matter which access level is granted to a user.

Control over flagged data is only given to specific editors. With an additional module they decide what happens to those records next:

Re-enable the record

Randomize the record

Delete the record

Extended Search

An extended search makes it possible to search for already deleted data. For example, GDPR editors can search for and identify sensitive data which still exists in the database, so they can manage it.

Log of Action

As GDPR extension users change settings or use the features, the extension logs all changes so changes can be reconstructed.

Improved Embedded YouTube & Vimeo Videos

Before videos from the platforms YouTube and Vimeo are actually loaded, the user is asked for consent. This improves the privacy and as an additional benefit also the loading time.

Conclusion

The TYPO3 CMS GDPR Initiative aims to make it easier for TYPO3 developers to create applications and websites that protect users by default and by design. In the short term, we’ve worked on essential improvements to TYPO3 CMS that helps clients, agencies, and integrators with tools to comply with these new European privacy laws. In addition, I’ve built an extension to take this default functionality a step further, and I provide support for website owners to improve their GDPR compliance.

About the Author

Georg Ringer

TYPO3 developer, Linz, Austria

Georg Ringer has been part of the TYPO3 community more than 10 years and is known for the large number of extensions he has published. He is part of the TYPO3 Core and Security Teams and is also the GDPR Initiative Lead.

Comments

Tim Schreiner

May 23rd, 2018

Hi, thanks for that great post and all the work from the people who are involved!
Maybe the cookie part can be edited, because there is currently a frontend feature in TYPO3, that sets a cookie that many users and also integrators might not be aware of. It's the form builder. When adding a form to the frontend, an fe_typo_user cookie is set because of the honeypot. The honeypots field name is generated using session data. Therefore, the session cookie has to be set.